Contact us: info@akimbocore.com

Wireless Security: WEP

Published: 19 October 2020

It’s well known that the WiFi security protocol WEP is broken. It’s been broken for years. However, if we’re writing a series on wireless security we should start at the beginning. Whilst it stands for Wired Equivalent Privacy, it hardly lives up to its name. WiFi comes under the IEEE 802.11 family. WEP was part of the original standard and was quickly superseded by WPA – WiFi Protected Access.

WEP can be broken using the aircrack-ng suite. However you will require a compatible wireless card with features such as injection support – the aircrack-ng documentation discusses supported cards. In this article we’ll be using a USB Alfa AWUS036ACH, which inside has a Realtek RTL8812au. To get injection support requires patched drivers, but again they’re available from aircrack:


Continue Reading

Wireless Security: WPA

Published: 19 October 2020

We previously spoke about WiFi security and how utterly broken WEP is. Now it’s time to take a look at WPA and WPA2 bruteforcing. This isn’t the only weakness of these protocols – but weak keys are common. The first thing to note is that the key-length for WPA is between 8 characters and 63 characters – this is important when building brute-force word lists.

Setting up the tools for these attacks is very similar to our previous post. We’re going to be using aircrack-ng and you’re going to need a compatible wireless card. We’ll be using a AWUS036ACH, with a Realtek RTL8812au. Drivers to support injection can be installed on Kali Linux.


Continue Reading

Breaking Enterprise Wireless

Published: 19 October 2020

In our previous posts we discussed how WEP is completely broken, known weaknesses with WPA, and bruteforcing WPA using AWS. This time around it’s time to look at “Enterprise” Wireless security. These are networks protected with EAP – Extensible Authentication Protocol.

However EAP is not just one protocol, but a collection of protocols. We won’t be breaking down every authentication method here, we’ll simply be highlighting that using Enterprise security for a wireless network doesn’t immediately remove all risk – and can in fact introduce more risk.

Both EAP-MSCHAPv2 and EAP-TTLS utilise password based authentication; for example to authenticate to Active Directory. This could be a machine account or a user account. This addresses one of the issues with WPA, which is the difficulty in revoking a user’s access to the network – as all devices use a single Pre-Shared Key (PSK).


Continue Reading

Extracting Domain Hashes: Mimikatz

Published: 14 October 2020

We previously covered how to perform incredibly fast hashcracking with AWS. In this post we’ll take a step back, and look at one simple method to extract the hashes from a domain controller. To be clear, this is a post exploitation step and to perform these steps a domain administrator account will be needed.

There are several tools which can be used to extract hashes directly on a domain controller, such as fgdump or Meteterpreter’s hashdump too. However, Mimikatz can perform this step from any domain joined machine, which is a little easier and often a benefit when it comes to antivirus evasion steps.


Continue Reading

Bruteforcing Windows Accounts

Published: 19 October 2020

A common configuration on Windows Active Directory accounts is to have an account lockout threshold of say, 5 invalid attempts, and an observation window of 30 minutes. This is likely due to the fact that the “Suggested Setting” after setting a threshold is to enable a short observation window.

When setting an account lockout threshold, Windows “suggests” that you set the observation window at the same time, to 30 minutes. The observation window is often overlooked as a security risk; however it allows an attacker to perform a bruteforce attack without locking an account.


Continue Reading

Bruteforcing Kerberos

Published: 19 October 2020

It is possible to brute-force Windows accounts directly, using tools like Metasploit using modules such as smb_login, which will target port 445 (SMB). However, it’s also possible to brute-force the Active Director authentication protocol Kerberos directly.

This can be beneficial to an attack for two reasons, the first is that it will be logged differently and depending on how the blue team are monitoring for attacks it might fly under the radar. A standard login attempt that fails will result in event 4625, whereas a failed Kerberos login attempt will likely result in event 4771.


Continue Reading

Kerberoasting

Published: 19 October 2020

Any domain user within Active Directory can request a service ticket (TGS) for any service that has an SPN (Service Principal Name). A part of the service ticket will be encrypted with the NTLM hash of the target user, allowing for an offline bruteforce attack.

This is true for user accounts and computer accounts, but computer account passwords are randomised by default and rotated frequently (every 30 days). However service user accounts may have weak passwords set which could be cracked. This attack is commonly called Kerberoasting. Although, don’t confuse this attack with the similarly named ASREP Roasting. A common setup where you might find this vulnerability is where a service account has been set up for Microsoft SQL Server.


Continue Reading

ASREP Roasting

Published: 19 October 2020

If an Active Directory user has pre-authentication disabled, a vulnerability is exposed which can allow an attacker to perform an offline bruteforce attack against that user’s password.

This attack is commonly known as “AS-REP Roasting” in reference to Authentication Service Requests, a part of the process of authentication with Kerberos. An attacker who is able to find a user with pre-authentication disabled can request an AS-REP ticket for that user and this will contain data encrypted with the user’s password.


Continue Reading

PrivEsc: Extracting Passwords with Mimikatz

Published: 19 October 2020

We recently published an article on using Incognito for privilege escalation as part of a short series on using Metasploit. In this article we’ll cover an alternative approach for privilege escalation – extracting plaintext credentials. Whilst incognito is generally easier to use, Mimikatz is powerful and flexible.

In this part we’re just going to look at password extraction; but Mimikatz can be used for many other attacks – such as extracting domain hashes from a domain controller. As before, password extraction is really a post-exploitation steps and is very useful for escalating from local administrator access to domain administrator access. As this is a post-exploitation step, we’ll be starting with a SYSTEM shell through PsExec for this demonstration. As an example of when these steps could be deployed, they could be a step taken after successfully performing an attack to gain an initial foothold such as LLMNR and NBT-NS Spoofing, which we covered previously.


Continue Reading

PrivEsc: Token Impersonation with Incognito

Published: 19 October 2020

Incognito is a tool which can be used for privilege escalation, typically from Local Administrator to Domain Administrator. It achieves this by allowing for token impersonation. As a local administrator can read the entirety of memory, if a domain administrator is logged in their authentication token can be stolen. We'll investigate its use here.

There are several types of authentication token on Windows systems, but Delegation tokens can be used network wide. This therefore allows an attacker to extract one of these tokens and then execute commands on other machines (such as the Domain Controller). Incognito can be executed within Meterpreter, or as a standalone EXE.


Continue Reading

Network Mapping with Nmap

Published: 19 October 2020

Before being able to determine if systems are vulnerable, it’s critical to first find as many active systems within the scope as possible and to accurately determine what services those systems expose. A common tool for use in network mapping is Nmap.

Before we start looking at the many, many, options that Nmap has, we'll take a look at a simple example. Nmap can be invoked with a target IP address and it will perform a default scan. If Nmap is invoked with administrative/root privileges it will perform a "half-open" SYN scan which is beneficial for its potential to be stealthier and faster than a "full" scan. A full-handshake scan can will be performed if administrative permissions are not granted, or optionally with the -sT flag.


Continue Reading

Using Metasploit

Published: 19 October 2020

Metasploit is an exploitation framework. It’s a core tool of the penetration tester’s toolset and we use it for several of our vulnerability demonstrations, so it makes sense to write a quick “introduction to” for Metasploit. We’re going to look at the module system, navigating around, setting variables and running payloads.

Since there are so many modules, it's worthwhile becoming familiar with the search functionality. You can search for modules using the "search" command, and you can filter results based on features such as module type, CVE number, or platform. The command "help search" will reveal all filter options.


Continue Reading

LLMNR and NetBIOS-NS Spoofing with Responder

Published: 19 October 2020

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.

Therefore, an attack can take place where an attacker responds to these requests with illegitimate requests. For example, directing the requesting user to connect to the attacker's machine where an authentication attempt will be made – disclosing hashed credentials for the targeted user.


Continue Reading

Fixing LLMNR and NetBIOS-NS Spoofing

Published: 21 January 2021

In our article LLMNR and NetBIOS-NS Spoofing with Responder we stepped you through how to exploit a very common issue on Windows networks. In this one, we’re going to cover how to fix it.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.


Continue Reading

Securing Wi-Fi Networks

Published: 23 January 2021

We recently discussed how to break WPA2 keys very quickly using cloud computing. We've also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP).

In this article we'll look at hardening Enterprise wireless networks from these attacks.

The most secure option is to utilise mutual authentication (where both the server and the client authenticate to each other) using digital certificate based authentication, such as offered by EAP-TLS. However, there can be more administrative overhead involved in the deployment of these networks and therefore PEAP may be offer a balance of security and overhead.

To be clear, we recommend the use of EAP-TLS wherever possible - but if you must use PEAP, we offer the following hardening steps:


Continue Reading